VMSA-2008-0010 : Updated Tomcat and Java JRE packages for VMware ESX 3.5 and VirtualCenter 2.5 (DEPRECATED)

This script is (C) 2009-2012 Tenable Network Security, Inc.


Synopsis :

The remote VMware host is missing one or more security-related
patches.

Description :

Updated ESX patches and VirtualCenter update 2 fix the following
application vulnerabilities.

a. Tomcat Server Security Update

This release of ESX updates the Tomcat Server package to version
5.5.26, which addresses multiple security issues that existed
in earlier releases of Tomcat Server.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-5333, CVE-2007-5342, CVE-2007-5461,
CVE-2007-6286 to the security issues fixed in Tomcat 5.5.26.

b. JRE Security Update

This release of ESX and VirtualCenter updates the JRE package
to version 1.5.0_15, which addresses multiple security issues
that existed in earlier releases of JRE.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-1185, CVE-2008-1186, CVE-2008-1187,
CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191,
CVE-2008-1192, CVE-2008-1193, CVE-2008-1194, CVE-2008-1195,
CVE-2008-1196, CVE-2008-0657, CVE-2007-5689, CVE-2007-5232,
CVE-2007-5236, CVE-2007-5237, CVE-2007-5238, CVE-2007-5239,
CVE-2007-5240, CVE-2007-5274 to the security issues fixed in
JRE 1.5.0_12, JRE 1.5.0_13, JRE 1.5.0_14, JRE 1.5.0_15.

Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the service console network.
Security best practices provided by VMware recommend that the
service console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.

See also :

http://www.vmware.com/security/advisories/VMSA-2008-0010.html
http://lists.vmware.com/pipermail/security-announce/2008/000031.html

Solution :

Apply the missing patch(es).

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)